Confirmed users
396
edits
PFS2: Difference between revisions
m
→Related Information: use wiki links and {{bug}} template
(Adding background information) |
m (→Related Information: use wiki links and {{bug}} template) |
||
| (12 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
PFS2 is a simple HTTP service intended to: | |||
# Assist in finding plugins for MIME types whose handling is unknown to the client | |||
# Offer version and security vulnerability data on installed plugins for upgrade recommendations | |||
__TOC__ | |||
= Server = | = Server = | ||
== | The server side of PFS2 maintains a database of plugins and plugin releases. | ||
* [http:// | These records are indexed by MIME type, and a set of client application details | ||
that help identify the most appropriate versions of plugins for a given | |||
platform, OS, locale, & etc. | |||
* Production URL: http://www.mozilla.com/plugincheck/ | |||
* Staging URL: http://pfs2.stage.mozilla.com/ | |||
* Source code (in SVN): http://svn.mozilla.org/projects/pfs2/trunk/ | |||
* DB Schema (in SVN): http://svn.mozilla.org/projects/pfs2/trunk/conf/schema.sql | |||
== Installation == | |||
* Requirements | |||
** Apache | |||
** PHP 5.2+ (both web server and CLI) | |||
** MySQL 5.x | |||
** Memcached | |||
* Configure Apache's document root to point at <tt>htdocs</tt> | |||
* Create a MySQL database from schema | |||
mysqladmin -uroot -p create pfs2 | |||
mysql -uroot -p pfs2 -e "grant all privileges on pfs2.* to pfs2@'localhost' identified by 'pfs2';" | |||
mysql -uroot -p pfs2 < conf/schema.sql | |||
* Update configuration | |||
cp conf/config.php-dist conf/config.php | |||
# edit the config file to reflect master and shadow databases, | |||
# as well as memcache server | |||
vim conf/config.php | |||
* Update database from plugin definitions | |||
php bin/update-db.php | |||
== Request Parameters == | |||
Queries against PFS2 are performed using HTTP GET, with the following parameters supported: | |||
; <tt>mimetype</tt> : A space-separated list of mimetypes for a plugin. (Note: space can be encoded as <tt>+</tt> in URLs.) | |||
; <tt>clientOS</tt> : The client's OS (eg. <tt>navigator.oscpu</tt>, "Windows NT 5.1", "Intel Mac OS X 10.5") | |||
; <tt>chromeLocale</tt> : The client's locale (eg. <tt>navigator.language</tt>) | |||
; <tt>appID</tt> : The client's app ID (eg. <tt>navigator.'''???'''</tt> (userAgent?), Firefox is "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}") | |||
; <tt>appRelease</tt> : Client app release version (eg. <tt>navigator.'''???'''</tt> (userAgent?), "3.5.3") | |||
; <tt>appVersion</tt> : Client's application build version (eg. <tt>navigator.buildID</tt>, "20090824085414") | |||
; <tt>callback</tt> : Function wrapper for JSON output, (see also: [http://bob.pythonmac.org/archives/2005/12/05/remote-json-jsonp/ JSONP technique]) | |||
=== Example request === | |||
Line breaks added for clarity: | |||
curl -s 'http://dev.pfs2.mozilla.org/? | |||
mimetype=application/x-shockwave-flash& | |||
appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D& | |||
appVersion=2008052906& | |||
appRelease=3.5& | |||
clientOS=mac& | |||
chromeLocale=ja-JP' | |||
== Response Format == | |||
The response MIME type for PFS2 is either <tt>application/json</tt>, or | |||
<tt>text/javascript</tt> if the <tt>callback</tt> parameter is non-empty. | |||
The top-level JSON payload is an object pairing plugin identifiers (<tt>pfs_id</tt>s) | |||
each with an object describing a plugin's releases and known aliases. Note | |||
that the <tt>pfs_id</tt> values are unique only to PFS2, and simply serve as | |||
a way to organize plugins that may change names and other attributes between | |||
releases. | |||
=== Overall structure === | |||
Plugin descriptions have the following overall structure: | |||
[ | |||
{ | |||
"aliases": { | |||
"literal": [ ... ], | |||
"regex": [ ... ] | |||
}, | |||
"releases": { | |||
"latest": { ... }, | |||
"others": [ ... ] | |||
} | |||
} | |||
] | |||
=== Plugin name aliases === | |||
The <tt>aliases</tt> property consists of lists of names by which the | |||
plugin has been called, separated into exact matches (<tt>literal</tt>) and | |||
regular expressions for pattern matches (<tt>regex</tt>). Since plugins change | |||
names between releases, and provide little else in the way of uniquely | |||
identifying details, these lists are meant to assist in identifying plugins | |||
already installed and matching them with PFS2 results. | |||
== | For example: | ||
[ | |||
{ | |||
"aliases": [ | |||
"literal": [ | |||
"Adobe Flash Player", | |||
"Shockwave Flash" | |||
], | |||
"regex": [ | |||
".*Flash.*" | |||
] | |||
], | |||
"releases": [ ... ] | |||
} | |||
] | |||
=== Plugin releases === | |||
The <tt>releases</tt> property points to an object, itself with two properties: | |||
; <tt>latest</tt> : The latest release for the plugin known by PFS2 | |||
; <tt>others</tt> : A list of other outdated and vulnerable releases of the plugin | |||
=== Plugin release descriptions === | |||
Each of the plugin releases are described by objects bearing some or all of the | |||
following properties: | |||
; <tt>pfs_id</tt> : <tt>pfs_id</tt> of the plugin within PFS2 | |||
; <tt>name</tt> : Name of the plugin | |||
; <tt>vendor</tt> : Name of the vendor providing the plugin | |||
; <tt>version</tt> : A dot-separated normalized version for the plugin, may differ from official vendor versioning scheme in order to maintain internal consistency in PFS2 | |||
; <tt>guid</tt> : A GUID for the plugin release, may differ between releases and platforms (unlike <tt>pfs_id</tt>) | |||
; <tt>status</tt> : Current status of the release, eg. <tt>latest</tt>, <tt>outdated</tt>, <tt>vulnerable</tt> | |||
; <tt>vulnerability_description</tt> : For status <tt>vulnerable</tt>, a short description of security vulnerabilities for the plugin release | |||
; <tt>vulnerability_url</tt> : For status <tt>vulnerable</tt>, a URL detailing security vulnerabilities for the plugin release | |||
; <tt>filename</tt> : Filename of the plugin as installed | |||
; <tt>url</tt> : URL with details describing the plugin | |||
; <tt>license_url</tt> : URL where the license for using the plugin may be found | |||
; <tt>manual_installation_url</tt> : URL for a manually-launched executable installer for the plugin | |||
; <tt>xpi_location</tt> : URL for an XPI-based installer for the plugin | |||
; <tt>installer_location</tt> : URL for an executable installer for the plugin (mainly for Windows) | |||
; <tt>installer_hash</tt> : A hash of the installer's contents for verifying its integrity | |||
; <tt>installer_shows_ui</tt> : (0/1) whether or not the installer displays a user interface | |||
; <tt>needs_restart</tt> : (0/1) whether or not the OS needs to restart after plugin installation | |||
; <tt>xpcomabi</tt> : '''''(Not sure, inherited from PFS1, need a description)''''' | |||
; <tt>min</tt> : '''''(Not sure, inherited from PFS1, need a description)''''' | |||
; <tt>max</tt> : '''''(Not sure, inherited from PFS1, need a description)''''' | |||
; <tt>app_release</tt> : Client app release for which the plugin is intended (* is wildcard) | |||
; <tt>app_version</tt> : Client app version for which the plugin is intended (* is wildcard) | |||
; <tt>locale</tt> : Client app locale for which the plugin is intended (* is wildcard) | |||
; <tt>os_name</tt> : Client app OS for which the plugin is intended (* is wildcard) | |||
; <tt>modified</tt> : Timestamp when last the release record was modified | |||
== | === Example response === | ||
$ curl -s 'http://dev.pfs2.mozilla.org/?mimetype=application/x-shockwave-flash&appID=%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D&appVersion=2008052906&appRelease=3.5&clientOS=mac&chromeLocale=ja-JP' | |||
[ | |||
{ | |||
"aliases": { | |||
"literal": [ | |||
"Adobe Flash Player", | |||
"Shockwave Flash" | |||
], | |||
"regex": [ | |||
".*Flash.*" | |||
] | |||
}, | |||
"releases": { | |||
"latest": { | |||
"status": "latest", | |||
"app_release": "3.5", | |||
"app_version": "*", | |||
"vendor": "Adobe", | |||
"pfs_id": "adobe-flash-player", | |||
"url": "http://www.adobe.com/go/getflashplayer", | |||
"modified": "2009-09-18T23:09:55+00:00", | |||
"app_id": "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}", | |||
"locale": "ja-JP", | |||
"version": "11.0.0.0", | |||
"license_url": "http://www.adobe.com/go/eula_flashplayer_jp", | |||
"guid": "{89977581-9028-4be0-b151-7c4f9bcd3211}", | |||
"xpi_location": "http://fpdownload.macromedia.com/get/flashplayer/xpi/current/flashplayer-mac.xpi", | |||
"os_name": "mac", | |||
"name": "Adobe Flash Player" | |||
}, | |||
"others": [ | |||
{ | |||
"status": "vulnerable", | |||
"app_release": "*", | |||
"os_name": "*", | |||
"vendor": "Adobe", | |||
"pfs_id": "adobe-flash-player", | |||
"url": "http://www.adobe.com/go/getflashplayer", | |||
"modified": "2009-09-18T23:09:55+00:00", | |||
"app_id": "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}", | |||
"vulnerability_url": "http://www.adobe.com/support/security/bulletins/apsb09-10.html", | |||
"version": "9.0.159.0", | |||
"license_url": "http://www.adobe.com/go/eula_flashplayer", | |||
"locale": "*", | |||
"app_version": "*", | |||
"name": "Adobe Flash Player" | |||
}, | |||
{ | |||
"status": "vulnerable", | |||
"app_release": "*", | |||
"os_name": "*", | |||
"vendor": "Adobe", | |||
"pfs_id": "adobe-flash-player", | |||
"url": "http://www.adobe.com/go/getflashplayer", | |||
"modified": "2009-09-18T23:09:55+00:00", | |||
"app_id": "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}", | |||
"vulnerability_url": "http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf", | |||
"version": "9.0.115.0", | |||
"license_url": "http://www.adobe.com/go/eula_flashplayer", | |||
"locale": "*", | |||
"app_version": "*", | |||
"name": "Adobe Flash Player" | |||
} | |||
] | |||
} | |||
} | |||
] | |||
= Client = | = Client = | ||
== Codebases == | == Codebases == | ||
* [http://svn.mozilla.org/projects/mozilla.com/ mozilla.com] | * [http://svn.mozilla.org/projects/mozilla.com/ mozilla.com] | ||
| Line 87: | Line 246: | ||
* stage - https://www.authstage.mozilla.com/ | * stage - https://www.authstage.mozilla.com/ | ||
* prod - http://www.mozilla.com/ | * prod - http://www.mozilla.com/ | ||
= General Algorithm = | |||
# Taking all the plugins in the browser | |||
# For each Plugin | |||
## Take all the mime-types in the plugin | |||
## For each mime type | |||
### Normalize the mime-type | |||
### concatenate them into a space delimited list | |||
### Query the Plugin Finder Service by mime-type and other parameters | |||
#### Take all the plugin infos which is the response | |||
#### For each info | |||
##### Try to match the alias literal `names` in the response to the plugins name | |||
##### Try to match the alisas regexs in the response to the plugins literal name | |||
###### if there is a match, use the info from this mime-type. Check version and vulnerability | |||
###### if all mime-types are exausted and no plugin name is matched, then this plugin is 'unknown', continue with next plugin | |||
== Matching info name to plugin name == | |||
This is a fragile piece of the algorithm. The PFS2 server has a 'name' field in the response. The client will try to match this against | |||
# plugin.name | |||
== Quantity of calls per plugin == | |||
Some plugins like Quicktime register 76 plugins. We'll want to have them all in the DB, so the first call by mime-type matches. | |||
The PFS2 Client limits on how many mime types will be concatentated together to keep the total characters below a configurable amount. If the mime-types exceed this, multiple PFS requests will be made for the plugin. | |||
== Mime-Type Normalization == | |||
Some Java Plugins like apples register many mime-types, because the mime-type includes platform version information like: | |||
application/x-java-applet;version=1.3 | |||
application/x-java-applet;version=1.5 | |||
We can normalize these, since ; isn't a valid character in a MIME type. | |||
== Plugin Release Statuses == | |||
For a given app id, platform, etc a list of releases of plugins are returned. | |||
The following are the status states a plugin can be in | |||
# DISABLE - "vulnerable" - also no newer release known | |||
# VULNERABLE - "vulnerable" An exploit is published against this specific release number | |||
# OUTDATED - "outdated" or version detection shows the plugin is known and older than a known plugin version | |||
# CURRENT - "latest" exact match of the latest known release | |||
# UNKNOWN - Either no plugin match was made, or the version of the plugin in the browser cannot be detected for some reason | |||
[https://bugzilla.mozilla.org/show_bug.cgi?id=514004 We need to spec out the vulnerability mechanism] | |||
== Generic Plugin Version Comparison == | |||
Current vs Out of date compares version components from left to right. Example: | |||
5.10.3 compared to 5.11 | |||
# explode verison on '.' | |||
# compare 5 to 5 | |||
# compare 10 to 11, 5.11 is higher | |||
== Unknown and Newer plugins == | |||
The client library will record unknown plugins by requesting a well known 1 pixel image and encode the plugin info into the request. These details can be harvested from web logs in a low tech way in bulk, at our leisure to discover popular plugins not in the DB. | |||
= Related Information = | = Related Information = | ||
* | * [[Plugins:PluginCheck]] | ||
* | * [[Firefox/Projects/Plugin Update Referrals]] | ||
* | * [[Website/Sprints/PluginProblem]] | ||
* | * [[Security:ThePluginProblem]] | ||
* | * {{bug|465898}} | ||
* http://theunfocused.net/2009/08/22/status-update-2/ | * http://theunfocused.net/2009/08/22/status-update-2/ | ||